Tuesday, June 05, 2007
ChoicePoint settles with 44 states over 2005 breach
ChoicePoint settles with 44 states over 2005 breach
Dan Kaplan Jun 1 2007 18:03
ChoicePoint, the data broker hit with the largest fine in Federal Trade Commission (FTC) history, has now settled with 44 states over a 2005 breach that compromised the personal information of 163,000 people.
The Atlanta-based company agreed to pay $500,000 to the states, in addition to adopting new security controls, including more stringent credentialing requirements when considering new clients - businesses, government agencies or nonprofits - who want access to ChoicePoint’s stockpile of consumer information.
The agreement, announced Thursday by the attorneys general of a number of states, is the most recent fallout resulting from ChoicePoint’s failure to adequately protect private information from hackers posing as customers, who illegally accessed a database.
Matt Furman, a ChoicePoint spokesman, told SCMagazine.com today that the settlement - which resulted out of an investigation launched by the attorneys general of 43 states and the District of Columbia - is another voluntary step the company is taking to rid itself of the stigma caused by the breach. The ChoicePoint incident is widely considered the watershed event in information disclosure.
"It's consistent with our efforts to make our security procedures even stronger," Furman said. "We want to make sure customers are who they say they are."
Attorneys general said the agreement will help further protect the nation's citizens.
"This settlement should set a new standard for any company entrusted with private, personally identifiable information," Connecticut Attorney General Richard Blumenthal said in a statement. "Data collection firms hold the key to our financial worlds – data that can irreversibly unlock our personal vault and expose us to identity theft."
The FTC has identified about 1,400 ChoicePoint fraud victims, who will be reimbursed for costs associated with identity theft. Early last year, the agency slapped ChoicePoint with a record $15 million penalty for shoddy data protection - $5 million of which will go to customer redress.
"Identity theft is one of the nation’s fastest growing criminal enterprises," Texas Attorney General Greg Abbott said Thursday in a statement. "With businesses and consumers losing billions of dollars each year, law enforcement must aggressively crack down on identity theft."
A ChoicePoint spokesman could not immediately be reached for comment.
Dan Kaplan Jun 1 2007 18:03
ChoicePoint, the data broker hit with the largest fine in Federal Trade Commission (FTC) history, has now settled with 44 states over a 2005 breach that compromised the personal information of 163,000 people.
The Atlanta-based company agreed to pay $500,000 to the states, in addition to adopting new security controls, including more stringent credentialing requirements when considering new clients - businesses, government agencies or nonprofits - who want access to ChoicePoint’s stockpile of consumer information.
The agreement, announced Thursday by the attorneys general of a number of states, is the most recent fallout resulting from ChoicePoint’s failure to adequately protect private information from hackers posing as customers, who illegally accessed a database.
Matt Furman, a ChoicePoint spokesman, told SCMagazine.com today that the settlement - which resulted out of an investigation launched by the attorneys general of 43 states and the District of Columbia - is another voluntary step the company is taking to rid itself of the stigma caused by the breach. The ChoicePoint incident is widely considered the watershed event in information disclosure.
"It's consistent with our efforts to make our security procedures even stronger," Furman said. "We want to make sure customers are who they say they are."
Attorneys general said the agreement will help further protect the nation's citizens.
"This settlement should set a new standard for any company entrusted with private, personally identifiable information," Connecticut Attorney General Richard Blumenthal said in a statement. "Data collection firms hold the key to our financial worlds – data that can irreversibly unlock our personal vault and expose us to identity theft."
The FTC has identified about 1,400 ChoicePoint fraud victims, who will be reimbursed for costs associated with identity theft. Early last year, the agency slapped ChoicePoint with a record $15 million penalty for shoddy data protection - $5 million of which will go to customer redress.
"Identity theft is one of the nation’s fastest growing criminal enterprises," Texas Attorney General Greg Abbott said Thursday in a statement. "With businesses and consumers losing billions of dollars each year, law enforcement must aggressively crack down on identity theft."
A ChoicePoint spokesman could not immediately be reached for comment.
Labels: ChoicePoint
Thursday, January 26, 2006
ChoicePoint fined $10M for security breach
By Jaikumar Vijayan with ComputerWorld
The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to process loans, leases and other contracts. In a statement today (download PDF), Derek V. Smith, the company's chairman and CEO, said the incident "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have for the past several months been in the process of implementing nearly all the changes reflected into today's settlement," Smith said.
ChoicePoint publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that it was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts" as well as changes including masking or truncating sensitive personal identifier information such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers, and bank and credit card information -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated to 2001.
The agency also charged that ChoicePoint violated the FCRA by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies that cannot demonstrate a legitimate need for that information, Majoras said. To ensure compliance with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how the consumer information will be used, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers use consumer information in the manner they attest to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anticompetitive practices.
The U.S. Federal Trade Commission (FTC) has imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a massive data security breach that resulted in the compromise of nearly 160,000 consumer records last year (see "ChoicePoint to tighten data access after ID theft").
In addition to the penalty, which FTC Chairman Deborah Platt Majoras described as the largest ever levied by the agency, ChoicePoint has been asked to set up a $5 million trust fund for individuals who might have become victims of identity theft as a result of the breach.
As part of its agreement with the FTC, Alpharetta, Ga.-based ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.
"This is an important victory for consumers," Majoras said. "This tells companies that they must protect sensitive consumer information. They must guard the front door as well as guard the back door against hackers."
ChoicePoint provides data to credit providers, government agencies, landlords and others who use personal information to process loans, leases and other contracts. In a statement today (download PDF), Derek V. Smith, the company's chairman and CEO, said the incident "provided critical lessons from which ChoicePoint, and indeed the entire industry, has learned a great deal.
"The men and women of this company take nothing more seriously than their responsibility to safeguard consumer information and, as a direct result of those lessons learned, we have for the past several months been in the process of implementing nearly all the changes reflected into today's settlement," Smith said.
ChoicePoint publicly acknowledged the data theft last February, but the incident itself took place in the fall of 2004. At the time it made the breach public, ChoicePoint said the theft happened when "a small number of very well-organized criminals posed as legitimate companies to gain access to personal information about consumers."
It also said later that it was taking steps to better protect customer data, pointing to a "rigorous re-credentialing of broad categories of customer accounts" as well as changes including masking or truncating sensitive personal identifier information such as Social Security numbers and driver's license numbers.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA), Majoras said. Though ChoicePoint collected and maintained billions of pieces of consumer data -- including consumer names, Social Security numbers, and bank and credit card information -- the company failed to implement reasonable procedures for protecting the data, she said.
In its decision, the FTC slammed ChoicePoint, saying that it did not have reasonable procedures in place to screen prospective subscribers and that it turned over sensitive personal information to subscribers whose applications raised obvious red flags. The FTC said ChoicePoint approved customers for its service who lied about their credentials and used commercial mail drops as business addresses. In addition, the applicants reportedly used fax machines at public commercial locations to send multiple applications for separate companies.
According to the FTC, ChoicePoint also failed to tighten its application approval procedures or monitor subscribers, even after it got subpoenas from law enforcement authorities alerting it to fraudulent activity that dated to 2001.
The agency also charged that ChoicePoint violated the FCRA by making false and misleading statements about its privacy policies.
Under the agreement with the FTC, ChoicePoint is barred from providing consumer reports to individuals and companies that cannot demonstrate a legitimate need for that information, Majoras said. To ensure compliance with that requirement, ChoicePoint will be required to certify the nature of the business of each of its subscribers and how the consumer information will be used, Majoras said.
ChoicePoint is also required to do site visits to authenticate its subscribers, except in cases where the company might have already done so. The company also must implement reasonable measures to ensure that its subscribers use consumer information in the manner they attest to in their applications, she said.
Until now, the largest civil penalty imposed by the FTC against a company was in March 2003, when the agency imposed a $7 million fine against Boston Scientific for anticompetitive practices.
Labels: ChoicePoint
